@krakjoe: The security policy could use some clarification as to how length overflow bugs are classified. Right now both "low severity" and "not a security issue" could apply and I don't think we're handling these consistently.